
I have an OpenBSD box that is being used primarily as an SFTP server. Some users running Windows need the ability to map a share from this server using SMB. Rather than setting up individual accounts on the OpenBSD box, I would like to enable the users to log in using their Active Directory credentials, and have the OpenBSD box authenticate against the Active Directory server. How can I do this?

Notes:

  • The OpenBSD box simply needs to authenticate against the Active Directory server. I don't need single sign-on or anything like that.
  • This article (Authenticating OpenBSD against Active Directory) has directions for authenticating at the system level, but it doesn't mention SMB (I seem to recall that SMB needs a separate password database), and also requires some messing around on the AD server. While I can make changes to the AD server if needed, I would prefer a solution that simply authenticated against the server as-is, perhaps via LDAP or the like.
  • I don't need any Windows permissions or anything fancy like that, I just need to know if they authenticated correctly.
ibrewster

1 Answer


The main path is to have your OpenBSD box join the AD Domain as a Member Server.

So you could offer SMB shares and authenticate your users on the AD Domain Controller.

This is well documented on the Samba wiki (of course you don't need to enable any 'additional service', but still it can be quite a bit of work).

  • That article only references Debian and RHEL based OSes that use PAM authentication. My understanding is that OpenBSD does not use PAM, and furthermore, one of the commands they say to use - net ads join -U administrator - doesn't even exist on OpenBSD (although maybe it just needs to be installed?) – ibrewster Oct 08 '15 at 22:06
  • 1) PAM auth is not what you need: it is about letting users log in to the OpenBSD box with AD credentials. It is not what you are asking for; please ignore the PAM section of the documentation. 2) In order to have the 'net' command you need to install samba4; on FreeBSD that can be achieved with ports (samba42, for instance). – Francesco Malvezzi Oct 09 '15 at 06:07
  • Hi Francesco, I would really appreciate it if you could share your AD member config on OBSD. My understanding is that for AD ACLs to work on Linux, I need PAM (getent won't work without it). Since that's not available on OBSD, there must be another way to achieve this. – vic Oct 29 '15 at 22:07
  • No, not PAM, user resolution (`nss` on Linux). PAM is used to authenticate (you don't need AD users to access BSD services like ssh). You need to match Windows users to OBSD users. I am not very fluent with BSD; on Linux it would be achieved with the winbindd daemon + nsswitch. But you can save it all if AD users are already on, say, OpenLDAP: just set up ldap-nss and automagically it works. – Francesco Malvezzi Oct 30 '15 at 07:59
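As an added example (not code from the thread or from the Samba wiki), here is the member-server setup the answer describes, reduced to a script that generates the two config files and lists the one-time join commands; the realm EXAMPLE.LOCAL, workgroup EXAMPLE, share path /sftp, file locations and the OpenBSD rc service names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate a minimal Samba "AD member
# server" config so smbd authenticates SMB users against the AD DC over
# Kerberos with no per-user local account. Realm, workgroup and paths are
# assumed placeholders.
gen_krb5_conf() {
  cat <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = true
    dns_lookup_realm = false
EOF
}
gen_smb_conf() {
  realm="$1"; workgroup="$2"; share_path="$3"
  cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    kerberos method = secrets and keytab
    # smbd asks winbindd for SID->uid mapping directly, so shares work even
    # though OpenBSD has no NSS modules; 'rid' gives stable, predictable uids.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config $workgroup : backend = rid
    idmap config $workgroup : range = 10000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /sbin/nologin
    template homedir = /home/%U
    # Hardening: no SMB1, no guest fallback, signing required both ways.
    server min protocol = SMB2
    map to guest = Never
    server signing = mandatory
    client signing = mandatory

[sftp]
    path = $share_path
    read only = no
    valid users = @"$workgroup\\Domain Users"
EOF
}
# One-time join, run as root on the OpenBSD box (assumed rc service names):
#   pkg_add samba; gen_krb5_conf EXAMPLE.LOCAL > /etc/krb5.conf
#   gen_smb_conf EXAMPLE.LOCAL EXAMPLE /sftp > /etc/samba/smb.conf; testparm -s
#   net ads join -U administrator; rcctl enable smbd nmbd winbindd
#   net ads testjoin && wbinfo -t    # verify the machine account trust
```

After the join, `net ads testjoin` and `wbinfo -t` confirm the machine trust account works before any user tries the share; smbd only needs a uid mapping from winbindd, not an entry in /etc/passwd, so the OpenBSD side stays free of per-user accounts.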